Blackbaud to Pay $3M Fine for 'Misleading' Customers Following 2020 Ransomware Attack, Data Breach

Blackbaud, a South Carolina-based provider of administrative, donor management, and CRM software to thousands of K–12 private schools, higher education institutions, and nonprofits, has been ordered by the U.S. Securities and Exchange Commission to pay a fine of $3 million to “settle charges for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers,” the federal agency said in a news release.

The SEC order said that during the ransomware attack, bank account information and Social Security numbers of donors stored by Blackbaud customers were stolen by the attackers, but Blackbaud had told customers the opposite and subsequently omitted the information in quarterly filings with the SEC. 

“On July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or Social Security numbers. Within days of these statements, however, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information,” said the SEC order. “These employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures.” 

In its August 2020 quarterly report filed with the SEC, Blackbaud “omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical,” the agency said.

“Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so,” said David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. 

The agency ruled that Blackbaud violated two sections of the Securities Act of 1933 and one section of the Securities Exchange Act of 1934 as well as Rules 12b-20, 13a-13, and 13a-15(a). 

“Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of these provisions” and to pay the fine of $3 million, the agency said.

According to its website, Blackbaud provides cloud-based software for education and nonprofit fundraising and donor relationship management, enrollment, finance, grants and awards, and marketing management. 

Its education customer base includes “24 of 25 top private U.S. colleges as ranked by Forbes,” the Blackbaud website says, and its software powers “93% of higher education institutions with billion-dollar campaigns.” Major universities using its donor management and CRM software include University of Georgia, Notre Dame, University of Louisville, and California State University Long Beach, according to Blackbaud.com.

 

 

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].


Featured

  • college student using a laptop alongside an AI robot and academic icons like a graduation cap, lightbulb, and upward arrow

    Nonprofit to Pilot Agentic AI Tool for Student Success Work

    Student success nonprofit InsideTrack has joined Salesforce Accelerator – Agents for Impact, a Salesforce initiative providing technology, funding, and expertise to help nonprofits build and customize AI agents and AI-powered tools to support and scale their missions.

  • server racks, a human head with a microchip, data pipes, cloud storage, and analytical symbols

    OpenAI, Oracle Expand AI Infrastructure Partnership

    OpenAI and Oracle have announced they will develop an additional 4.5 gigawatts of data center capacity, expanding their artificial intelligence infrastructure partnership as part of the Stargate Project, a joint venture among OpenAI, Oracle, and Japan's SoftBank Group that aims to deploy 10 gigawatts of computing capacity over four years.

  • geometric pattern features abstract icons of a dollar sign, graduation cap, and document

    Maricopa Community Colleges Adopts Platform to Combat Student Application Fraud

    In an effort to secure its admissions and financial processes, Maricopa Community Colleges has partnered with A.M. Simpkins and Associates (AMSA) to implement the company's S.A.F.E (Student Application Fraudulent Examination) across the district's 10 institutions.

  • human profile with a circuit-board brain next to an open book

    Georgia State U and Operation HOPE Program Fosters AI Literacy in Underserved Youth

    A pilot program co-led by Operation HOPE and Georgia State University is working to build technical, entrepreneurial, and financial-literacy skills in Atlanta-area youth to help them thrive in the AI-powered workforce.